diff --git a/CHANGELOG.txt b/CHANGELOG.txt 
index 7b44c75af8e9f4b49d013f852df03304a3761e3a..102892f41324a07a4ede9747634ca4ef60070dc6 100644 
--- a/CHANGELOG.txt 
+++ b/CHANGELOG.txt 
@@ -2,6 +2,8 @@ Drupal 7.0, xxxx-xx-xx (development version)
 ---------------------- 
+- Security: 
+ * Protected cron.php -- cron will only run if the proper key is provided.
 - Usability:
 * Implemented drag-and-drop positioning for input format listings.
 * Provide descriptions for permissions on the administration page. 
diff --git a/INSTALL.txt b/INSTALL.txt 
index a15786c951d8d9b14ec2ba5591754e433721d4b0..93a627ce0b9d0249207ef36409f00e07e9080994 100644 
--- a/INSTALL.txt 
+++ b/INSTALL.txt 
@@ -207,20 +207,30 @@ INSTALLATION maintenance task, including search module (to build and update the index used for keyword searching), aggregator module (to retrieve feeds from other sites), and system module (to perform routine maintenance and pruning on - system tables). - To activate these tasks, call the cron page by visiting - http://www.example.com/cron.php, which, in turn, executes tasks on behalf - of installed modules. + system tables). To activate these tasks, visit the page "cron.php", which + executes maintenance tasks on behalf of installed modules. The URL of the + cron.php page requires a "cron key" to protect against unauthorized access. + Each cron key is automatically generated during installation and is specific + to your site. The full URL of the page, with cron key, is available in the + "Cron maintenance tasks" section of the "Status report page" at: - Most systems support the crontab utility for scheduling tasks like this. The - following example crontab line will activate the cron tasks automatically on - the hour: + Administer > Reports > Status report - 0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php + Most systems support using a crontab utility for automatically executing + tasks like visiting the cron.php page. The following example crontab line + uses wget to automatically visit the cron.php page each hour, on the hour: + + 0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php?cron_key=RANDOMTEXT + + Replace the text "http://www.example.com/cron.php?cron_key=RANDOMTEXT" in the + example with the full URL displayed under "Cron maintenance tasks" on the + "Status report" page. More information about cron maintenance tasks are available in the help pages - and in Drupal's online handbook at http://drupal.org/cron. Example scripts can - be found in the scripts/ directory. + and in Drupal's online handbook at http://drupal.org/cron. Example cron scripts + can be found in the scripts/ directory. 
(Note that these scripts must be 
+ customized similar to the above example, to add your site-specific cron key 
+ and domain name.)
 DRUPAL ADMINISTRATION
 --------------------- 
diff --git a/cron.php b/cron.php 
index f242ee782ee0a47f6968d7d59737f74223cc4f4c..e40dc2d9be8f73623b820d501cae989e3bd6307b 100644 
--- a/cron.php 
+++ b/cron.php 
@@ -8,4 +8,6 @@ include_once './includes/bootstrap.inc';
 drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL); 
-drupal_cron_run(); 
+if (isset($_GET['cron_key']) && variable_get('cron_key', 'drupal') == $_GET['cron_key']) { 
+ drupal_cron_run(); 
+} 
\ No newline at end of file 
diff --git a/modules/system/system.install b/modules/system/system.install 
index 8e0cb94091e97b96a70ccf6e0629dc778f7c1717..c1854b20fb3cc6ad1fd32d99bec6ae6e632428b4 100644 
--- a/modules/system/system.install 
+++ b/modules/system/system.install 
@@ -170,11 +170,14 @@ function system_requirements($phase) { } } 
+ $description .= ' '. $t('You can run cron manually.', array('@cron' => url('admin/reports/status/run-cron'))); 
+ $description .= '
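Review bot: The key check on the new `if` line in cron.php compares the secret with `==`, and the `variable_get()` default of `'drupal'` means a site whose `cron_key` variable was never set accepts the publicly known key `drupal`; this diff populates the variable only in `system_install()`, so unless an update hook outside what is shown here sets it, every upgraded site falls into that case. PHP's loose comparison also treats numeric-looking strings as numbers, so an md5 key of the form `0e…` would compare equal to any other `0e…` string. Use a strict comparison and refuse to run when no key is configured: `if (isset($_GET['cron_key']) && is_string($_GET['cron_key']) && $_GET['cron_key'] === variable_get('cron_key', FALSE)) {`.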
'. $t('To run cron from outside the site, go to !cron', array('!cron' => url('cron.php', array('absolute' => true, 'query' => 'cron_key='. variable_get('cron_key', 'drupal'))))); 
+
 $requirements['cron'] = array(
 'title' => $t('Cron maintenance tasks'),
 'severity' => $severity,
 'value' => $summary, 
- 'description' => $description .' '. $t('You can run cron manually.', array('@cron' => url('admin/reports/status/run-cron'))), 
+ 'description' => $description
 );
 } 
@@ -404,6 +407,10 @@ function system_install() {
 db_query("INSERT INTO {variable} (name, value) VALUES ('%s','%s')", 'filter_html_1', 'i:1;');
 db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'node_options_forum', 'a:1:{i:0;s:6:"status";}'); 
+ 
+ $cron_key = md5(time()); 
+ 
+ db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'cron_key', serialize($cron_key));
 }
 /**
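Review bot: The added `$description .=` line builds the cron URL by concatenating the raw key into the query string, `'query' => 'cron_key='. variable_get('cron_key', 'drupal')`, and hands the result to a `!cron` placeholder, which under Drupal's placeholder convention is inserted without escaping. That is harmless for the hex key generated at install time, but nothing shown here prevents the variable from holding another value, and a key containing `&`, `#` or HTML-significant characters would then corrupt the link or land unescaped in the status report. Encoding the value before concatenation keeps the link correct for any key: `'query' => 'cron_key='. rawurlencode(variable_get('cron_key', 'drupal'))`. The `'drupal'` fallback also prints a link with a guessable key on a site where the variable is absent, where a warning would serve better; `system_requirements()` begins before this hunk.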
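Review bot: `$cron_key = md5(time());` in the system_install() hunk derives the secret from the install timestamp alone, so anyone who can estimate when the site was installed (from file mtimes, HTTP headers or a generous guess of the day) can enumerate at most tens of thousands of candidate keys and run cron.php at will, which defeats the purpose of the new check. The key needs an unpredictable source; the change below mixes in `/dev/urandom` where it is readable and falls back to `uniqid(mt_rand(), TRUE)`, which is still far harder to guess than a bare timestamp. `system_install()` begins before this hunk.

```php
  // … unchanged: filter_html_1 / node_options_forum inserts …

  // The cron key is a bearer secret; a timestamp is guessable, so pull
  // entropy from /dev/urandom when available and mix in uniqid() otherwise.
  $entropy = '';
  if (is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {
    $entropy = fread($fh, 32);
    fclose($fh);
  }
  $cron_key = md5($entropy . uniqid(mt_rand(), TRUE));

  db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'cron_key', serialize($cron_key));
```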